{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33747", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.124Z", "datePublished": "2026-03-27T00:49:06.165Z", "dateUpdated": "2026-03-27T00:49:06.165Z"}, "containers": {"cna": {"title": "BuildKit vulnerable to malicious frontend causing file escape outside of storage root", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj"}, {"name": "https://github.com/moby/buildkit/releases/tag/v0.28.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"}], "affected": [{"vendor": "moby", "product": "buildkit", "versions": [{"version": "< 0.28.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:49:06.165Z"}, "descriptions": [{"lang": "en", "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected."}], "source": {"advisory": "GHSA-4c29-8rgm-jvjj", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected."}], "id": "CVE-2026-33747", "lastModified": "2026-03-27T01:16:21.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:21.330", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.28.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "buildkit", "source": "cna", "vendor": "moby"}, "product": "buildkit", "vendor": "moby"}], "analysis": {"en": {"generated_at": "2026-03-27T06:22:24.294858+00:00", "value": {"mitigation_remediation": ["Upgrade BuildKit to version 0.28.1 or later", "Disallow custom frontends or ensure they are sourced from trusted images when using older BuildKit versions"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects BuildKit releases from moby prior to version 0.28.1. Any instance that accepts custom frontends via the #syntax directive or the BUILDKIT_SYNTAX build argument is susceptible, while well\u2011known, trusted frontends such as docker/dockerfile are not impacted. All builds executed with an untrusted custom frontend run in the affected versions are at risk.", "description_and_impact": "BuildKit allows the use of custom frontends that can send API messages to the build daemon. A malicious frontend can construct a message that causes files to be written outside the build state directory, effectively escaping the intended filesystem boundary. This flaw, classified as a file path traversal, can lead to arbitrary file writes and, depending on the content written, may enable remote code execution or privilege escalation. The CVSS score of 8.4 reflects the high severity of this improper access control weakness.", "risk_and_exploitability": "The lack of an EPSS score and absence from the CISA KEV catalog do not diminish the risk; the flaw can be exploited by anyone who can inject or dictate a custom frontend into a BuildKit\u2011enabled build environment. The CVSS rating of 8.4 indicates a high likelihood of successful exploitation if the attacker can leverage the vulnerable frontend. Monitoring of build configurations and controlling frontend sources are recommended until the issue is patched."}}}}, "created": "2026-03-27T08:31:03.528000+00:00", "updated": "2026-03-27T09:22:25.956492+00:00", "vendors": ["moby", "moby$PRODUCT$buildkit"]}